Moving from KYC to KYB: ‘Know Your (Customer’s) Behavior’
This is the fourth article in a special series on financial crime.
Correspondent banking is a lucrative business model—but one that is by its very nature high risk. The compliance risks are manifold and often complex, but they are usually focused on the direct or indirect exposure to countries, entities and customers. Further complicating this is the fact that many of these risks are outside of the stated risk appetite, with transaction flows that are difficult to predict and monitor using traditional solutions developed for the more habitual retail customer.
Fundamentally, this practice opens a series of conduits to other banks, whose ability to effectively prevent illicit or illegal payments is taken for granted based on scheduled comprehensive reviews of static know-your-customer data sets. These data sets contain Wolfsberg Questionnaires, policy and procedure documents and a plethora of ownership, corporate governance articles and declarations. These static data sets are often time-consuming to collect as well as challenging to verify. In many cases, they are also marred by exclusions and limitations. These data points are usually coupled with the expert opinion of seasoned financial crime compliance (FCC) professionals, who conduct site visits, and with observations and insights from relationship managers.
In Asia-Pacific this review process is particularly challenging due to language barriers, knowledge gaps, the high cost of acquiring the appropriate controls, and often outdated data privacy laws that hinder the free exchange of even the most basic KYC information.
Correspondent banking payment flows can fall outside of stated initial projections and known seasonal peaks (for instance, the lead-up to Ramadan in Muslim countries). They are also difficult to predict, with most banks lacking end-to-end visibility over the payment flows of a correspondent. In other words, where payments truly originate or complete remains unknown.
The Gap between Technical and Effective Compliance
“The challenge that bedevils the industry is the gap between technical and effective compliance … a firm can have a program that is technically compliant, but it is not effective in identifying suspicious activity,” Alan Ketley, managing director for anti-money laundering strategy at MUFG Bank, said at the SWIFT International Banking Operations Seminar in October 2017.
The savvy are switching their attention to understanding the behavior of correspondents by using irrefutable data and focusing on “intention monitoring” as opposed to the increasingly lengthy KYC documentation and correspondent self-attestation review process. SWIFT, the global payments network and bank cooperative, has seen a seismic shift in the number of banks looking to better understand their correspondents’ behaviors via the SWIFT analytics portfolio. This empowers users to directly identify nesting, to understand the true origin and end points of payments they are involved in, and to dynamically query and alert on exposure to undesirable regions, correspondents and payment corridors.
In other words, the focal lens has shifted from human to machine analysis, from the static to the dynamic, and from the stated intention to the actual. This behavior is key.
Growing costs have seen banks and regulators alike streamlining where they can with the growth of national and global KYC utilities, including initiatives by the Monetary Authority of Singapore, the Hong Kong Association of Banks-Hong Kong Monetary Authority, and the SWIFT KYC Registry.
In order to transact with another bank over the SWIFT network, banks must exchange network keys or relationship management applications (RMA). As such, RMA closures—where one party decides to revoke access and closes the network key so that payments can no longer be exchanged with that correspondent—are a clear indicator of the health of cross-border trade relations.
In a bid to standardize and automate the KYC process, “network hygiene,” or the scheduled review, clean up and closure of RMAs, has also become the new normal. We have seen sustained increases in such closures and, in some extreme cases, region exits.
SWIFT business intelligence data shows an 80 percent increase in RMA rejections and revocations globally between 2015 and 2017 (Exhibit 1). The Asia-Pacific region is on trend with a 76 percent increase. It is important to note that the majority of exits are still for commercial reasons, as opposed to unacceptable anti-money laundering (AML)-based risk, but this split is narrowing.
Exhibit 1: RMA Revocations/Rejections 2015-17 Sees an 80 Percent Increase Globally
However, there’s evidence that the pace demanded by increasing regulatory obligations is simply not sustainable in its current form. One global bank recently reported that every 60 minutes, 20,000 cross-border payments are screened, more than 1,700 names are screened for politically exposed persons, and 27 investigations are initiated, leading to two RMA exits.
Exhibit 2: RMA Revocations/Rejections 2015-17 Sees a 76 Percent Increase across Asia
Despite this rate, one research paper released earlier this year reported that 80 to 90 percent of suspicious activity reports raised in 2017 had no immediate value to law enforcement.
What Can Be Done?
The New York Police Department looked to drive the right social behaviors through their “broken windows” policing strategy of the 1990s, through zero tolerance of low-level antisocial behavior, such as graffiti and vandalism, to prevent more serious crimes from taking place. In much the same way, behavior-based analytics can change the way FCC professionals look at policing the risks of their correspondent network neighborhoods.
Much like the NYPD trying to drive the right social behaviors through high visibility and zero-tolerance policing, a switch from the static to the dynamic and behavior-based relationship analysis can ensure that FCC professionals are empowered to identify risks early and prevent their correspondents from falling into the “risky” category.
Asia-Pacific is at a tangible turning point in the FCC space. De-risking can provide the business with an impetus for change, and there are minimal legacy IT systems that hinder the adoption of new technology.
The conditions for a sudden leap in capability are ripe, and FCC practitioners in Asia have a unique opportunity to switch from “business prevention” to “business development,” as their AML control frameworks, their transparency, their effectiveness and their capabilities can become critical elements in their attractiveness as a correspondent banking partner, as well as their potential longevity to overseas correspondents looking for partners in the region. Simply put, they can show nervous overseas investors that their neighborhood is free of broken windows.
*The opinions in this piece are the author’s own and do not reflect in any way those of his employer.